Privacy impact assessment (PIA) is a systematic process for evaluating the
potential effects on privacy of a project, initiative or proposed system or
scheme. Its use has become progressively more common from the mid-1990s
onwards.

On the one hand, privacy oversight agencies and privacy advocates see PIAs as
an antidote to the serious privacy-intrusiveness of business processes in the
public and private sectors and the ravages of rapidly developing information
technologies. On the other, governments and business enterprises alike have
struggled to encourage public acceptance and adoption of technologies that are
very apparently privacy-invasive, and have been turning to PIAs as a means of
understanding concerns and mitigating business risks.

This paper distinguishes PIAs from other business processes, such as privacy
issues analysis, privacy law compliance checking and privacy audit, and
identifies key aspects of the development of PIA practice and policy from their
beginnings through to the end of 2007.

1. Introduction

As late as the second quarter of 2008, the highest citation-counts on Google
Scholar for articles on the topic of Privacy Impact Assessment (PIA) appeared
to be 21, 17, 10 and 9 (for Carter 2000, Clarke 1998a, Raab 2004 and Flaherty
2000 respectively). The ISI Web of Science catalogue, searching across
titles only and within a much more restrictive set of journals, disclosed
precisely 2 papers, neither with any citations.

The lack of interest in academic circles contrasts with the situation in the
policy arena, where the topic has attracted considerable attention, the
practice is established, and the method is well-documented. PIAs are often
conducted in a highly-charged environment, and the interests of groups with
varying degrees of power are usually in at least apparent conflict, and are
sometimes locked in combat in a zero-sum game. It is therefore important to
document the origins and early history of the method, to inform the inevitable
debates of the coming years.

This paper commences with a brief review of the privacy arena, to provide the
context within which PIAs have emerged. A definition is provided, and key
characteristics of the process described. The paper then identifies related
notions that pre-date PIAs and on which the formulation of PIA processes could
be based. Applications of 'impact assessment' thinking to privacy issues are
identified which pre-date uses of the term PIA. The emergence of the related
terms privacy impact 'statement' and 'assessment' are documented. Important
threads in the development of PIAs in various countries are noted. In addition
to literature relevant to the history of PIAs, references are provided to
definitions, guidelines and exemplars.

2. Privacy

Privacy has become a major social issue only since the 1960s. Its emergence
as a significant policy consideration can be attributed to the enormous
expansion of threats to it. These have arisen from a combination of the
increased scale of social and economic institutions, the increasingly
professional and mechanistic forms of management in both the private and public
sectors, increasing information-dependence to cope with the reduction in
face-to-face contact, and advances in information technology, all feeding off
one another (Clarke 1988. See also Flaherty 1989, Bennett 1992).

The 'fair information practices' (FIP) movement emerged from the late 1960s,
partly in Europe, but particularly in the USA in the work of Westin (Westin
1967, 1971; Westin & Baker 1974). Its purpose was less to protect privacy
than to respond to privacy concerns from the perspective of the organisations
that were increasingly impacting on it. The FIP movement involved the
establishment of bodies of principles that purported to provide protections
against the impacts of business practices and technology, while having the
minimum possible impact on business and government administration. The
still-prevalent attitude in US business and government is well-expressed in
this quotation: "I think it quite likely that self-discipline on the part of
the executive branch will provide an answer to virtually all of the legitimate
complaints against excesses of information-gathering" (Rehnquist, 1971, then a
spokesperson for the US Justice Department, subsequently US Chief Justice,
quoted in Rule et al. 1980, p. 147).

Of the various bodies of principles that were published during the 1970s, a few
sought to impose substantial obligations on organisations (e.g. HEW 1973, NSWPC
1977, PPSC 1977). Most, however, adopted the narrower and (for organisations) less
painful formulations consistent with FIP. A key feature was the power of each
organisation to define the purposes of its data processing systems. This has
the effect that the collection, storage, use and disclosure principles
enshrined in legislation and codes are built on sand, and hence provide only
limited privacy protection. Another device was the establishment of weak
privacy oversight agencies (variously Inspectorates, Registries and
Commissions) with limited powers and limited resources.

The FIP movement achieved an international convention in the form of the OECD
Guidelines (OECD 1980). The Guidelines' pro-business and anti-privacy purpose
was explicit and unequivocal: to "... advance the free flow of information
between Member countries and to avoid the creation of unjustified obstacles to
the development of economic and social relations among Member countries" (OECD
1980). The OECD Guidelines have in turn shaped virtually all laws and
guidelines since the end of the 1970s. New sets are still being produced,
however, as business and government continue to seek relief from what they see
as the more onerous among the impositions of the FIP/OECD model. Two of
significance are the US Administration's 'safe harbor' provisions (USDOC 2000)
and the APEC Privacy Framework (APEC 2005).

Although the nature of FIP was recognised by some commentators from the outset
(e.g. Rule 1974, Rule et al. 1980), it has only slowly permeated the
consciousness of the wider public. Since 1980, with the exception of a few
elements of the EU Directive (EU 1995), there has been little further
development in privacy protections.
Existing laws still reflect both the pro-business-and-government / anti-privacy
agenda of FIP, and the long-superseded information technologies of the 1970s.
The scene during the closing years of the twentieth century included weak
privacy oversight agencies, frustrated privacy advocacy organisations, and a
public that was increasingly wary and evasive in its dealings with business and
government. The conditions were ripe for a change in approach.

3. Privacy Impact Assessments

The concept of a PIA emerged and matured during the period 1995-2005. The
driving force underlying its emergence is capable of two alternative
interpretations. Firstly, demand for PIAs can be seen as a belated public
reaction against the increasingly privacy-invasive actions of governments and
corporations during the second half of the twentieth century. Increasing
numbers of people want to know about organisations' activities, and want to
exercise control over their excesses. Privacy oversight agencies call for the
technique to be applied, and privacy advocacy organisations build them into
their calls for action. From this perspective, the conduct of a PIA can be
viewed as the ceding by a large organisation of some of the substantial power
that it exercises over citizens or consumers.

Alternatively, the adoption of PIAs can be seen as a natural development of
rational management techniques. Many applications of information technology
depend on their adoption by people, and compliance by people with the
requirements of the resulting systems. Significant numbers of governmental and
corporate schemes have suffered low adoption and poor compliance, and been
subjected to harmful attacks by the media. Organisations have accordingly come
to appreciate that privacy is now a strategic variable. They have therefore
factored it into their risk assessment and risk management frameworks. 'PIA'
was the language talked by regulators and privacy lobbyists; so government in
particular, and business to a lesser extent, have adopted the term and the
technique.

The meaning ascribed to the term 'PIA' has varied over time and across
jurisdictions. Aspects are discussed progressively through this paper, and a
collection of definitions is provided in Appendix 1. The interpretation adopted
by the author is that a PIA is properly
distinguished from other kinds of activities by the following characteristics:

a PIA is performed on a project or initiative (i.e. a PIA is distinct from an
organisational privacy strategy);

a PIA is anticipatory in nature, conducted in advance of or in parallel with the
development of an initiative, rather than retrospectively (i.e. a PIA is
distinct from a privacy audit);

a PIA has broad scope in relation to the dimensions of
privacy, enabling consideration of privacy of the person, privacy of
personal behaviour and privacy of personal communications, as well as privacy
of personal data (i.e. a PIA is distinct from a mere 'data privacy impact
assessment');

a PIA has broad scope in relation to the perspectives reflected in
the process, taking into account the interests not only of the
sponsoring organisation, and of the sponsor's strategic partners, but also of
the population segments affected by it, at least through representatives and
advocates (i.e. a PIA is distinct from an internal cost/benefit analysis or
internal risk assessment);

a PIA has broad scope in relation to the expectations against
which privacy impacts are compared, including people's aspirations and
needs, and public policy considerations, as well as legal requirements (i.e. a
PIA is distinct from a compliance assessment, whether against privacy laws
generally, or data privacy laws in particular, or a specific data protection
statute);

a PIA is oriented towards the surfacing both of problems and of
solutions to them (i.e. a PIA is more than just a privacy issues
analysis);

a PIA emphasises the assessment process, including information exchange,
organisational learning, and design adaptation (i.e. a PIA is not merely
focussed on the expression of a carefully-worded privacy impact statement);

a PIA requires intellectual engagement from executives and senior
managers (i.e. a PIA is not a mere checklist ticked through by junior
staff or lawyers).

The following sections trace the way in which this contemporary
interpretation of PIAs came about.

4. The Emergence of PIAs

This section adopts a chronological approach to the emergence of PIAs, via
its precursors, the concept, and the term 'privacy impact statement', to the
term 'privacy impact assessment'.

4.1 Precursors

There would appear to be two primary intellectual threads that gave rise to
the concept and term 'PIA'.

One is the idea of 'technology assessment', as practised in the Office of
Technology Assessment (OTA) of the US Congress, 1972-1995, and in a range of
European contexts. An early treatment of the Office's methods is in OTA (1977).
See also Porter et al. (1980).

The other progenitor is the 'impact statement'. Its early
application was in the form of Environmental Impact Statements (EIS), which
originated in the 'green' movements of the 1960s. The US implemented a
requirement for an EIS for major projects in 1970, and few jurisdictions in
economically advanced nations are without some kind of requirement. There have
been great tensions in this area, however. EIS are costly, and inevitably
involve considerable delay. There has accordingly been a great deal of
lobbying by powerful corporations, and by development-oriented government
agencies, resulting in a wide array of compromises to the processes and
products.

Of even greater relevance to the history of PIAs has been the cynicism about
the EIS notion that arose among the people affected by major projects. If the
law only requires that an EIS be prepared, then there remain many ways in which
projects could gain approval despite having excessive negative impacts on the
environment. The process that produces the EIS may be subject to inadequate
controls, insufficiently audited, or insufficiently auditable, and hence the
EIS may succeed in glossing over problems. An EIS may gain insufficient media
coverage, and hence a development-minded agency or Government may be able to
ignore illogic, and value negative impacts and negative public opinion very
lightly.

A more substantial notion is 'impact assessment' which is
usefully defined as "the identification of future consequences of a current or
proposed action". The weaknesses of an EIS are countered by the notion of an
Environmental Impact Assessment (EIA). This lifts the focus beyond product
alone to include process, and is a more fully articulated concept, including
prior publication, public consultation, further publication and review.
Official training materials are provided by UNEP (2002). Many government
agencies provide guidelines. EIS has become the
document that is produced at the end of an EIA, rather than the end in itself.

Privacy is not a focal point of the social impact assessment movement, however.
IAIA does not appear to have recognised PIA as a sub-domain, and its Journal,
after 25 Volumes, does not appear to have published a single article on the
topic.

4.2 Origins of the Concept

The concept now widely referred to as a PIA did not arrive with a
pre-determined name. Hence most of the early publications do not mention the
term.

Data protection laws that pre-dated the OECD Guidelines (e.g. those of Hesse
1970, Sweden 1973 and Austria, Denmark, France and Norway all of which passed
laws in 1978) commonly required registration or licensing, and a check was
necessary to ensure that the data controller's behaviour was in compliance with
the law. Flaherty (1989, p. 405) documents instances where
pre-decisional assessments were occasionally used in some
European countries such as the Scandinavian countries and the U.K., and Bygrave
(2002) points out that the Norwegian Data Inspectorate was required to assess
"whether the establishment and use of the register in question may cause
problems for the individual person ..." (s. 10, Norwegian Personal Data
Registers Act of 1978, since superseded). Impact Assessment involves a much
broader study than merely compliance with a specific law; but interpretations
and discretions within those laws would have doubtless enabled the privacy
oversight agency to make some contributions along the lines of what would later
be referred to as a PIA. See also Bennett (1992).

The process was institutionalised in 1995 in Article 20 of the European
Directive, which mandated what is referred to as 'prior
checking' against applicable standards, particularly of sensitive
information systems. This is further discussed in section 5 below.

The concept is also evident in an important, early document on the other side
of the Atlantic: "Each time a new personal data system is
proposed (or expansion of an existing system is contemplated)
those responsible for the activity the system will serve, as
well as those specifically charged with designing and implementing the system,
should answer such questions as ... What purposes will be
served by the system and the data to be collected? How might these purposes be
accomplished without collecting these data? ..." (HEW 1973, p.51).

The final paragraph of Chapter 13 of a US Study Commission's report, PPSC
(1977), states "Perhaps the most significant finding in the
Commission's assessment of the [US] Privacy Act [1974] arises from its
examination of the vehicles available for evaluating and assessing existing
record systems, new systems, and agency practices and procedures. Quite
simply, there is no vehicle for answering the question: "Should a particular
record-keeping policy, practice, or system exist at all?" While the
Act takes an important step in establishing a framework by which an individual
may obtain and question the contents of his record, it does not purport to
establish ethical standards or set limits to the collection or use of certain
types of information. Without such standards, however, the principal threat of
proliferating records systems is not addressed. Nowhere, other than in the
ineffective section requiring the preparation and review of new system notices,
does the Act address the question of who is to decide what and how information
should be collected, and how it may be used. To deal with this situation, the
Congress and the Executive Branch will have to take action" (emphasis added in
this paper).

It would therefore appear that the concept, although not yet the term, was in
use in some quarters as early as the first half of the 1970s. Moreover, the
notion was sufficiently well-developed for a national commission to frame one
of its 160 recommendations around it (and indeed one that survived the
endeavours of the Ford Administration to reduce the report's scope, although
the Recommendation was not taken up).

A later reference to a procedure readily recognisable as an antecedent to the
PIA process appears in Australian legislation relating to the specific practice
of data matching (referred to as 'computer matching' in the USA). The
Data-Matching Program (Assistance and Tax) Act 1990 included in Schedule 1 a
requirement for a 'program protocol'. This is closely
related to the PIA notion in that it includes requirements to document "the
justifications for the program, ... what methods other than data matching were
available and why they were rejected [and] any cost/benefit analysis or other
measures of effectiveness which were taken into account in deciding to initiate
the program" (para. 3.1).

Another thread that contributes to the emergence of PIAs is
cost-benefit analysis (CBA). This is a cluster of techniques
that enable the evaluation of a project based on narrow financial criteria, or
on broader financial and non-financial factors, or on a yet broader range of
factors in order to reflect perspectives additional to that of the sponsor.
CBA was applied to the assessment of computer matching projects in Clarke
(1995a). The proposal for a regulatory scheme for computer matching in Clarke
(1995b) includes the equivalent of a PIA, although it does not use the term
and it focusses more heavily on the scheme's benefits and costs than on its
impacts and disbenefits.

In keeping with usage in the precursor context of environmental impact, the
original concept was of a 'statement' prepared as a condition precedent to
approval of a project or to parliamentary debate about legislation. Flaherty
has stated that he can document the use of the term as early as the 1970s
(2000, footnote 3). However the first literature reference to the term 'privacy
impact statement' located by this author is a passage published by Flaherty in
1989, quoting a 1984 document of the Canadian Justice Committee: "The Justice
Committee recommended ... the submission of a privacy impact statement
[by an agency to the Canadian Privacy Commissioner] in relevant situations.
The Cabinet ... rejects the formal requirement of an impact statement to
accompany each piece of legislation [footnoted to Re Ternette and Solicitor
General of Canada, Dominion Law Reports 10, 4th ser. (1984): 587]" (Flaherty
1989, p.277-278, emphasis added in this paper).

Flaherty also uses the term at two other locations in the same book: "The data
protection agency can ... [prepare] its own evaluations of the potential impact
on personal privacy of proposed legislation and information systems. ... It
is important that small data protection agencies encourage the main government
departments to prepare their own initial reviews of the impact of new
technology, preferably in the form of 'privacy impact statements' ..."
(Flaherty 1989, p.405, emphasis added in this paper); and "The US Privacy
Protection Study Commission wisely recommended the preparation of a privacy
impact statement for each piece of federal legislation" (p. 413, fn. 26,
emphasis added in this paper). A search of PPSC (1977) does not detect any use
of the term, although the concept (as discussed earlier) is indeed evident.

Several years later, also in Canada, and at the point in time when PIA began to
become mainstream, a paper on smart cards by staff of the Ontario Information
and Privacy Commissioner's office included a "sample privacy impact
statement" (IPCO 1993, emphasis added in this paper). It is unfortunately
not part of the version of the document that is currently available on the Web.

The term that has been current since the mid-1990s is the more comprehensive
'PIA'. In addition to resulting in a less unattractive acronym, it has the
effect of emphasising process rather than product, and encompasses published
information, consultation, publication and review.

The earliest mention of the term that the author has identified is advice
provided by Lance Hoffman (private communication, 2004) that he assisted in the
preparation of a Berkeley, California ordinance requiring a Privacy Impact
Assessment, and that the ordinance is included in Hoffman (1973). Some years
later, Daniel et al. (1990) focussed on privacy impacts of traffic management
technologies (a predecessor term for what is currently referred to as
Intelligent Transportation Systems), but referred to 'social impact assessment'
rather than PIA. Stewart advised (private communication, 2004) that the term
was used in Longworth (1992).

Early contributions were made by the then Ontario Privacy Commissioner Tom
Wright (IPCO 1993, 1994, 1995, 1997)
and by the then British Columbia Privacy Commissioner David Flaherty (Flaherty
1994, 1995). The earliest mention of the term for which the author can provide
a copy is a recommendation to the Ontario legislature "Pro-active Consideration
of Access and Privacy Implications" in the form of "a regulation that requires
institutions to conduct a privacy impact assessment, as defined in the
regulation, prior to the introduction of any computer information systems"
(IPCO 1994, at s. 50, emphasis added in this paper).

By the mid-1990s, Privacy Commissioners and a small number of specialist
consultants and academics, variously in Canada, New Zealand and Australia were
thinking about PIAs in a systematic manner as an "essential tool for data
protection" (Flaherty 2000). The idea spread rapidly around the policy
community, although, as will be discussed below, the formalisation of tools to
implement the PIA process took a further 5-10 years to mature.

5. Articulation

Developments in PIA philosophy, law and practice occurred in parallel in
various countries, and differed among them, in some respects substantially.
Because this paper's focus is on the history of PIAs, it does not attempt a
thorough intellectual examination, but merely identifies key aspects. It draws
on a variety of sources, including ICO (2007a) and the detailed Appendices to
that Study, C to I inclusive.

This section outlines developments in approximately chronological order, in the
jurisdictions that, in the author's view, made the most significant
contributions. The section is supported by Appendices that identify
definitions, exemplars and guidelines. The subsequent section identifies some
key themes.

In 1996, Blair Stewart, Deputy N.Z. Privacy Commissioner, published two of
the earliest formal papers on PIAs, in the Australasian journal Privacy Law
& Policy Reporter (Stewart 1996a, 1996b). Stewart also organised a discussion
session on PIAs in Christchurch, New Zealand, on 13 June 1996 (Flaherty 2000).

In 1996-97, in the context of public concerns about a driver licensing scheme,
the then Commissioner, Bruce Slane, adopted a policy of encouraging PIAs in
particular circumstances. In January 1999, the NZPC published a 'Guidance Note
in Information Matching Privacy Impact Assessments'. This was restricted in
its scope to matching programmes, which are the subject of specific
requirements under the Act. The current version of the document is dated 2006.
A hard-copy collection of 'Approaches, Issues And Examples' was published as
Stewart (2001), and a further paper appeared as Stewart (2002).

In 2002, the NZPC published a 'Privacy Impact Assessment Handbook' (NZPC 2002).
The Handbook acknowledges the authorship of Blair Stewart, prior and parallel
work in Alberta, Ontario and British Columbia, and interactions with Hong Kong.
It also references prior publications by Stewart (1996a, 1996b, 1999, 2001),
Flaherty (2000) and Waters (2001). The New Zealand Commissioner hosted an
international symposium on PIAs in 2003.

As noted in the previous section, the then Privacy Commissioners of Ontario
and British Columbia were also very early movers. Alberta moved soon
afterwards, and almost all Provinces have become active users of PIAs, in name
at least.

In Ontario, since the late 1990s, the principal driver behind
government policy in relation to PIAs was not the privacy oversight body, but a
central agency called the Management Board Secretariat (MBS). As early as June
1998, a completed PIA became a pre-requisite for approval of Information and
Information Technology (I&IT) project plans submitted for Cabinet approval.
Guidelines were published in December 1999 (MBS 1999). With effect from 2006,
the function has been absorbed within the
Ministry of Government Services (MGS).

As noted earlier, the academic book Flaherty (1989) included an outline
description of what a PIA entailed. During his subsequent term as Privacy
Commissioner of British Columbia from 1993 to 1999, Flaherty
took the opportunity to apply the theory. Within the province's public sector,
PIAs of some kind were mainstream, although not mandatory, by the late 1990s.
Impetus was provided by a public furore over disclosure of the City of Victoria
property value assessments on its public website (Flaherty 1998).

In 2002, the B.C. Freedom of Information and Protection of Privacy Act was
amended such that s. 69(5)
requires agencies to conduct PIAs for "a new enactment, system, project or
program". The process has been supported by guidance since as early as 1998. A
database of PIA summaries has been maintained since then, which had reached a
count of about 150 by the end of 2007. The scope is limited, however, to the
determination of their compliance with the Act, i.e. it is little more than a
data protection law compliance check and falls a long way short of being a
comprehensive PIA.

In Alberta, s.64 of the Health Information Act, passed in
1999, imposes on public agencies in the health care sector the requirement to
conduct PIAs. In devising the process, the architects drew on their background
in environmental management. The scope is defined as being "proposed
administrative practices and information systems relating to the collection,
use and disclosure of individually identifying health information [that] may
affect the privacy of the individual who is the subject of the information".
PIAs are not mandated elsewhere in the Alberta public sector. However a
central agency, Services Alberta, provides guidelines in relation to their
conduct (SA 2005).

In Australia, as indicated above, an early form of PIA referred to as a
'program protocol' was imposed on a particular family of data matching programs
by s.12 and the associated Schedule to the Data-Matching Program (Assistance and
Tax) Act 1990. Non-binding guidelines for application to other data matching
programs were published shortly afterwards (OFPC 1992). Both sets were prepared
by Nigel Waters, Deputy to the then Privacy Commissioner, Kevin O'Connor.

The earliest mention of the term 'PIA' found in Australian sources appears to
be a 1995 acknowledgement by the Telecommunications Industry Ombudsman that
PIAs had a role to play (referred to in Dixon 1997). Further stimulation arose
from Stewart (1996a and 1996b) which, although authored by a New Zealander,
were published in an Australasian journal.

In 1997, a call was made for implementation of PIAs, invoking both Stewart's
publications and Flaherty's work in British Columbia (Dixon 1997). Soon
afterwards, descriptions of the PIA process at lesser and greater depth were
published in Clarke (1998a, 1998b).

In December 2001, the then Privacy Commissioner, Malcolm Crompton, issued
'Guidelines for Agencies using PKI to communicate or transact with individuals'
(OFPC 2001). A draft set of generic guidelines was released for public
consultation in 2004, and published in final form by Crompton's successor two
years later (OFPC 2006).

In 2004, the State of Victoria issued a guide (OVPC 2004). The other major
State, New South Wales, is supportive of PIAs but has lacked the resources and
Government commitment to pursue the matter.

At federal level in Canada, significant impetus was provided in 2000 by "the
highly publicised debacle over Human Resources Development Canada's (HRDC)
Longitudinal Labour Force File (LLF) whose ... dismantlement, following public
complaints about the database, cost the department millions of dollars"
(Bloomfield 2004. See also HRDC 2000).

Policy responsibility in relation to the conduct of PIAs rests with a central
agency, the Treasury Board, which has published guidance and a tool (TBC
2002a, 2002b, 2003). The guidelines require that "initiatives ... comply with
privacy requirements and ... resolve privacy issues that may be of potential
public concern" (TBC 2002a, p. 4), and the process is accordingly not limited
to compliance with privacy laws.

The Office of the Privacy Commissioner has an audit and review function, and an
Audit Report containing multiple recommendations for improvements was published
in late 2007 (OPCC 2007).

In early 2000, the then Privacy Commissioner, Stephen Lau, advised the
Immigration Department to conduct a PIA in respect of the planned replacement
of the HKSAR ID Card. As a result, the scheme was the subject of a PIA at each
of four phases between 2000 and 2004. The first PIA Report was published
(Pacific Privacy 2000), but the subsequent three appear not to have been. Some
other PIAs have been undertaken, but no formal guidelines have yet been
published.

It might appear incongruous that the USA has not appeared earlier in this
section, given that guidance from the Office of the Privacy Advocate in the
Internal Revenue Service (IRS) dates from December 1996. This was reflected
over time in similar documents prepared by a range of other agencies, and some
further impetus was provided by the Electronic Government Act of 2002. The
reason for de-valuing these activities is that their contributions to the
development of PIA law, policy and practice have been largely negative.

In the current version of the IRS guidelines, for example, which date from
2000, the language used is expansive, but the actual activity that they
require is very limited. The
document refers not to the 'conduct' of a PIA but to its 'completion',
indicating that it is perceived as a product rather than as a process that
influences design. Worse, it is driven from the very limited and patchy
provisions in US statutes, and not from an examination of the proposal and its
impacts. This is fairly typical of the US federal approach to privacy, which
has always been pragmatic and reactive rather than substantive and anticipatory
(Bennett 1992).

The Department of Homeland Security's Privacy Officer has authority under s.
222 of the Homeland Security Act of 2002 to require PIAs. A Privacy Threshold
Analysis (PTA) instrument is used to determine whether a PIA is
required. The examinations required are so superficial, and so unrelated to
actual privacy needs and expectations, that extraordinarily privacy-invasive
measures have been instituted in a wide range of systems that perform at least
nominal roles in the Bush Administration's 'war on terror'. Such activities
are PIAs in name only. Their actual form is that of a mere data protection law
compliance checklist. With rare exceptions, the USA remains a wasteland from
the viewpoint of privacy policy.

Outside government, the ideology of the US private sector is hostile to the
notion that consumers might have a participatory role to play in the design of
business systems. This is of considerable significance internationally,
because US corporations have such substantial impact throughout the world.
Their lack of appreciation of the privacy impacts of their operations, and of
the annoyance that their arrogance causes, has given rise to substantial
clashes between the privacy cultures and legal frameworks of the USA and
Europe.

One device for forestalling legislative provisions is the creation and
publication of a technical or management standard or code. A US standard for
PIAs exists in the form of ANSI (2004); but this was merely a limited response
to the provisions of the US Financial Services Modernization Act of 1999
(usually referred to as the Gramm-Leach-Bliley Act). Corporations that wish to
sustain the privileged position that they achieved through the FIP movement
exist in many countries other than the USA. An international standard is being
developed through a committee of the International Standards Organisation:
ISO/IEC JTC-1 SC-27 WG-5. As is commonly the case with standards organisations,
these processes have lacked the least vestige of consultation with people, or
with their representatives or advocates for their interests.

As late as the end of 2007, there was still very little evidence of PIAs at
State level. Even in California (whose population of 36 million is exceeded by
only 6 members of the EU, and whose GDP is much the same as that of the U.K.
and of France), the only signs of progress have been a 2006-07 legislative
debate over a Bill that mentioned PIAs, and a bland (and, at the time of
writing, unfulfilled) statement by the State's Office of Privacy Protection
that it is developing a method and tools for agencies to use.

The term 'PIA' and the processes that a PIA involves have largely been
developed in the Anglophone world. Academic literature searches in 2007
generated virtually no material in the English language focused on PIAs in
Member States of the European Union (EU), and a practitioner literature search
did no better (ICO 2007a, Appendix H). The term PIA has certainly been known
in some European countries, however, not least The Netherlands. See, for
example, Kenny & Borking (2002).

Article 20 of the 1995 EU Directive (EU 1995), headed 'Prior Checking',
states that: "Member States shall
determine the processing operations likely to present specific risks to the
rights and freedoms of data subjects and shall check that these processing
operations are examined prior to the start thereof". The requirement appears
to have been implemented in the laws of some 17 of the EU nations. The form in
which it is expressed is highly varied, however, and the coverage is very
patchy. Moreover, the actual extent to which the various laws are respected is
far from clear.

In the U.K. in April 2002, a Cabinet Office document advocated the use of PIAs
to promote more consistent decision making across public services on privacy
and data sharing issues (Recommendation 19 and Annex D of UKCO 2002, reported
in Stewart 2002). In 2007, the U.K. Information Commissioner's Office
commissioned a project to deliver a comprehensive review of PIA law, policies
and practices around the world (ICO 2007a, on which this paper has drawn
heavily), and a PIA Handbook (ICO 2007b).

At least two other EU countries appear to be moving in the direction of PIAs.
Finland has proposed a model that has a resemblance to the PIA models found in
Canada, Australia and New Zealand (DPOF 2007). In addition, the Irish Data
Protection Commissioner's Office has recommended the conduct of a PIA in
relation to any proposal to apply biometrics in the workplace or school
(DPCIE 2007).

6. Key Themes

This section identifies a small set of key themes that arise from a survey
of laws, policies and practices relating to PIAs around the world. The themes
selected as being of greatest significance are the scope of the PIA concept,
the balance between mandation and voluntary conduct of PIAs, and the areas in
which PIAs have been applied.

The definitions used in various publications are provided in Appendix 1. In
some jurisdictions, especially the USA but also a number of Canadian
Provinces, the scope is so limited that the activity is not really impact
assessment, but merely data protection law compliance audit. In most
jurisdictions, however, the scope is reasonably broad, and a PIA is primarily a
process, with the PIA Report treated as just one of the deliverables rather
than as an end in itself.

In a few cases, the requirement to undertake a PIA has been enshrined in law.
Any mandation of PIAs is generally worded carefully, however. Requiring that
one be conducted for every project is likely to be counter-productive because
it tends to encourage merely formal checklist-filling rather than intellectual
engagement with the issues. It is more common for organisations to be required
to consider whether a PIA is needed. Hence, in most jurisdictions, PIAs are
regarded as an instrument of policy.

In many jurisdictions, the PIA process is motivated by the need for public
trust, and is framed in terms of risk management. That was evident in the EU
Directive in 1995, and has been commented on by, among others, Raab (2004).
The evolution of PIAs needs to be seen within the context of
larger trends in advanced industrial societies to manage 'risk' and to impose
the burden of proof for the harmlessness of a new technology, process, service
or product on its promoters. Personal information systems should be "regarded
as (relatively) dangerous until shown to be (relatively) safe, rather than the
other way around" (Bennett & Raab 2006, p. 62).

From the late 1990s onwards, PIAs were increasingly recognised as an idea whose
time had come. Guidelines have been published, some by privacy oversight
bodies, some by central agencies, and others by consultants. Many sets of
Guidelines are of the nature of checklists, and can easily lead to the
generation of documents that evidence a superficial understanding of the
privacy issues arising from the project.

Other sets of Guidelines, on the other hand, are educational, and intentionally
designed to stimulate constructive approaches to what are usually complex and
multi-dimensional problems. Placement within the context of risk management is
particularly noticeable in the Guidelines of Ontario (MBS 1999), Canada
(TBC 2002b, OPCC 2007), Alberta (SA 2005), Australia (OFPC 2006) and the U.K.
(ICO 2007b). Appendix 3 identifies all sets of PIA guidelines known to the
author, classified into recommended authorities, early documents, and other
current documents.

The performance of PIAs has to date been predominantly a public sector
activity. Many of the guidelines apply equally to the private sector, however,
and there are instances in most jurisdictions of the technique being applied at
least in the context of public-private partnerships, and in some cases by
industry associations and corporations as well.

7. Conclusions

Since its emergence in the mid-1960s, privacy protection has been
constrained by the Fair Information Practices model to a framework that has
been more protective of corporate and government interests than of people's
data, let alone of people themselves. The early emphasis was on bodies of
principles that could be applied to individual organisations, business
processes, and projects. Among the challenges that confronted this approach
were the dominance of the FIP notion, and the enormous diversity of business
and government, and of applications of information technologies. The bodies of
principles are accordingly riddled with exemptions and exceptions, and have
been continually undermined by subsequent laws.

Since the mid-1990s, PIA has established itself as an important tool. It can
be distinguished from processes such as compliance checks and privacy audits
because of its anticipatory, positive and risk-management orientations. The
PIA meme is already mature in several countries, most notably in Canada and
Australia, is making advances in other countries such as New Zealand and
the United Kingdom, and has gained a toe-hold in Hong Kong. It may be emergent
in countries on the Continent of Europe, although the technique is of course
subject to local variants and local naming conventions.

On the other hand, PIAs as defined in this paper are almost non-existent in the
USA. In the US public sector, government agencies have subverted the term to
refer to a mere legal compliance study; and US private sector philosophies
reject the notion that public policy and consumers have a role to play in the
design of business systems. The lack of comprehension of privacy issues among
US corporations has serious implications, because of their continuing
endeavours to apply privacy-invasive technologies and business processes
throughout the world, and to negotiate privacy protection laws down to the low
level prevalent in their domestic economy.

Outside the USA, PIAs have become an instrument whereby commentators and
advocates can demand more information and more consultation, and privacy
oversight agencies, despite their dismal lack of formal powers, can argue for
deeper consideration of privacy by government agencies and corporations.
Organisations perceive them as a means to analyse and manage risk, and it
appears that this positive approach may be in the process of overtaking the
hostile, reactionary approaches such as industry standards, and attempts to
re-kindle the Fair Information Practices movement.

The coming years will tell whether PIAs achieve their aims of surfacing issues,
involving the public, and ensuring a multi-stakeholder approach to initiatives.
Without PIAs of the kind described in this paper, it will be difficult to
achieve appropriate balances among conflicting interests, and to avoid serious
harm to return on business technology investments resulting from high levels of
distrust by consumers of corporations, and by citizens of governments.

Appendix 1: Definitions

The two earliest definitions of Privacy Impact Assessment
found in the literature are:

"What is a PIA? There is no statutory definition of a PIA in NZ or
Australia. Nor is there any internationally accepted definition. To promote
discussion I tentatively suggest that a PIA is a process whereby a conscious
and systematic effort is made to assess the privacy impacts of options that may
be open in regard to a proposal. An alternative definition might be that a PIA
is an assessment of any actual or potential effects that the activity or
proposal may have on individual privacy and the ways in which any adverse
effects may be mitigated. I should confess that the two definitions are
derived from definitions of environmental impact assessment but with the
substitution of the word 'privacy' where 'environment' would normally appear. I
have chosen to do this not simply for convenience but because I have observed
some correlations between environmental impact assessment and privacy impact
assessment" (Stewart 1996a)

"a process whereby the potential impacts and implications of proposals
that involve potential privacy-invasiveness are surfaced and examined"
(Clarke 1998b)

The following list of definitions of Privacy Impact Assessment from
documents published by national and sub-national privacy oversight agencies
draws heavily on ICO (2007a, p. 3):

New Zealand: PIA is defined as "a systematic process for evaluating a
proposal in terms of its impact upon privacy"

Canada: PIAs "provide a framework to ensure that privacy is considered
throughout the design or re-design of a programme...[and to] identify the
extent to which it complies with all appropriate statutes". This is done to
"mitigate privacy risks and promote fully informed policy"

Australia: PIA is an "assessment of actual or potential effects on
privacy, and how they can be mitigated"

New South Wales: "PIA involves a comprehensive analysis of the likely
impacts of a project upon the privacy rights of individuals. It is a little
... like an environmental impact assessment done for a new development
proposal. The assessment can ensure that any problems are identified - and
resolved - at the design stage. PIA is not only about ensuring compliance with
the relevant information privacy laws (such as the PPIP Act and the HRIP Act),
but can also help to minimise the risk of reputational damage by identifying
broader privacy concerns (such as bodily or territorial privacy impacts)"

Alberta: "A privacy impact assessment (PIA) is a process that assists
public bodies in reviewing the impact that a new program, administrative
process or practice, information system or legislation may have on individual
privacy. The process is designed to ensure that the public body evaluates the
project or initiative for technical compliance with the FOIP Act and also
assesses the broader privacy implications for individuals. A PIA is both a due
diligence exercise and a risk management tool. The PIA process requires a
thorough analysis of the potential impact of the initiative on privacy and a
consideration of measures to mitigate or eliminate any negative impact. The PIA
is an exercise in which the public body identifies and addresses potential
privacy risks that may occur in the course of its operations"

United States of America: "PIA is an analysis of how information in
identifiable form is collected, stored, protected, shared and managed...[to]
ensure that system owners and developers have consciously incorporated privacy
protection throughout the entire life cycle of a system"

Appendix 2: Exemplars

This Appendix identifies the earliest-known exemplars of PIA Reports,
together with sources of PIA Reports in a number of jurisdictions.

Flaherty D. (1998) 'An investigation concerning the disclosure of personal
information through public property registries', Office of the Information and
Privacy Commissioner of British Columbia, Investigation P98-011, 31 March
1998, at
http://www.oipcbc.org/investigations/reports/invrpt11.html

IPCO (1994) 'Suggested Changes to the Municipal Freedom of Information and
Protection of Privacy Act: Submission to The Standing Committee on the
Legislative Assembly', Information and Privacy Commissioner/Ontario, January
1994, at
http://www.ipc.on.ca/index.asp?layid=86&fid1=227

IPCO/ACTA (1997) 'Smart, Optical and Other Advanced Cards: How to do a
Privacy Assessment', Information and Privacy Commissioner/Ontario and Advanced
Card Technology Association of Canada, September 1997, at
http://www.ipc.on.ca/images/Resources/up-cards.pdf

OFPC (2001) 'Privacy and Public Key Infrastructure: Guidelines for Agencies
using PKI to Communicate or Transact with Individuals' Office of the Federal
Privacy Commissioner, December 2001, at
http://www.privacy.gov.au/publications/pki.doc

SSNYPSC (1991) 'Statement of Policy on Privacy in Telecommunications' State
of New York Public Service Commission, 22 March 1991, reprinted in Information
and Privacy Commissioner of Ontario submission to the Ontario Telephone Service
Commission 'Privacy and Telecommunications', September 1992

Acknowledgements

A preliminary version of this paper was prepared in February 2004, which
formed the basis for a presentation at Queens University, Kingston Ontario, on
9 June 2004. Many people provided assistance during the preparation of that
version, including Blair Stewart (NZ), Nigel Waters, Graham Greenleaf, Philip
George and Chris Connolly (AU), Ann Cavoukian, David Flaherty, Peter
Hope-Tindall, Pierrot Peladeau and Stephanie Perrin (CA), Dave Banisar, Robert
Gellman, Lance Hoffman and Willis Ware (US), Herbert Burkert (Germany), and Lee
Bygrave (Norway).

The next opportunity to further develop the paper did not arise until the
second half of 2007, when a team led by Loughborough University was
commissioned by the U.K. Information Commissioner's Office to undertake an
international study of laws, policies and practices relating to PIAs around the
world (ICO 2007a), and prepare a PIA Handbook (ICO 2007b). The author greatly
appreciates the assistance of his colleagues on that project, Robin Bayley, of
Linden Consulting Inc and Prof. Colin Bennett of the University of Victoria,
both in Victoria, British Columbia, Andrew Charlesworth of the University of
Bristol, and Adam Warren (Project Manager) and Prof. Charles Oppenheim (Project
Director), both of Loughborough University. The permission of the Information
Commissioner's Office to reproduce relevant material arising from that Study
as part of this paper is also acknowledged.

All evaluative comments, however, are the responsibility of the author alone.

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.